How to Make Your Website HIPAA and Privacy Compliant in Today’s Changing Landscape

Posted on: August 21st, 2025 by Chase Design

Disclaimer: This article is for educational purposes only and does not constitute legal advice. Every organization’s situation is unique, and you should always seek professional counsel when it comes to HIPAA and privacy compliance. Chase Design does not write legal content such as privacy policies, or review and approve compliance processes, but we think that these tools and processes will help give you the best foundation for approval from your legal team.

Compliance Issues Are Not Going Away

Privacy compliance has gone from being a niche legal requirement to a central part of building and running a website. Twenty years ago, most websites didn’t have interactive features beyond a simple contact form. Now, forms, analytics, marketing pixels, cookies, and integrations are everywhere, and with them comes a much higher risk of accidentally collecting or exposing sensitive information. Regulators have also raised their expectations, and states like California and Colorado have joined HIPAA in shaping how websites handle personal data.

At Chase Design, we’ve seen firsthand how messy compliance can get when businesses try to address it late in the game. We’ve worked with clients who unknowingly collected sensitive health data through WordPress forms or who passed identifiers into Google Analytics without realizing the consequences. Through solving those issues, we’ve developed a process to help others design with compliance in mind from the beginning. That way, businesses can avoid expensive cleanup and set themselves up for long-term trust with their users.

In this article, we’ll break down what it takes to make your website HIPAA and privacy compliant if you serve clients in the U.S., exploring the following topics:

  • The difference between PII and PHI
  • How analytics tools like GA4 can unintentionally capture sensitive data
  • Why your location matters under different country & state regulations
  • Tools that can help, like HIPAA-compliant forms, cookie disclosures, and user preference platforms
  • Organizational tasks like database cleanup, internal access policies, and the importance of appointing a data officer
  • User experience design
  • Yearly compliance reviews

Location Makes a Difference

Where your users live matters. In Europe, the General Data Protection Regulation (GDPR) applies if you target or monitor EU residents.

In the United States, there is no single national privacy law, so states have stepped in.

Many states have regulations with vast grey areas, so it’s very important to gain an understanding and have a legal review by someone familiar with the specifics of where you do business. Even if HIPAA does not apply to your business, these state laws might. Building your website with consent tools and clear disclosures will make it easier to adapt as more states pass similar laws.

Your Site May Inadvertently Collect Sensitive Data

Many businesses are surprised when they discover their website has been storing sensitive data without a plan. This often happens in three common areas.

First, there are forms. Even a simple “Contact Us” form can become a HIPAA concern if users type health information alongside their name. When those submissions land in a regular inbox or in a WordPress database, the business has already crossed into non-compliance.

Second, there are analytics tools. Google Analytics prohibits sending personally identifiable information into its platform, but unintentional leaks happen often. For example, if your appointment form creates a thank-you page with a URL like /thank-you?name=John&condition=anxiety, that information may be logged by Google.

Third, there are marketing pixels. Tools like Facebook Pixel and Google Ads are designed to track behavior, but they can also capture identifiers hidden in URLs or form fields. Once transmitted, that data leaves your control.

In each case, the business didn’t “mean” to collect PHI, but regulators don’t distinguish between intention and effect. The key is to configure these tools carefully and keep sensitive data out of them in the first place.

Understand the Difference Between PII and PHI

To understand compliance, you first need to understand the difference between PII (Personally Identifiable Information) and PHI (Protected Health Information).

PII is any data that can be used to identify someone, either by itself or in combination with other data. This includes:

  • Names, phone numbers, and email addresses
  • Government-issued identifiers like Social Security numbers
  • Home addresses and geolocation data
  • IP addresses, device IDs, or account usernames

For a clear, technical definition, the National Institute of Standards and Technology has a helpful guide here: https://csrc.nist.gov/publications/detail/sp/800-122/final.

PHI, by contrast, is health-specific. It includes health information linked to an individual, such as:

  • Medical conditions
  • Prescriptions
  • Test results
  • Insurance or billing information

As soon as that health information is connected with an identifier like a name, date of birth, or email, it qualifies as PHI under HIPAA. More details are available from HHS here: https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html.

The key lesson: You may not intend to collect PHI, but if someone enters both health details and their name into your contact form, you are now storing PHI—and HIPAA rules apply.

The Right Forms Matter

Forms are one of the most direct ways users give you sensitive data. Choosing a HIPAA-capable form tool can prevent problems before they start. Solutions like Cognito Forms (https://www.cognitoforms.com), Jotform HIPAA accounts (https://www.jotform.com/hipaa/), and Formstack (https://www.formstack.com/solutions/hipaa) all provide encryption and will sign a Business Associate Agreement.

A few best practices make forms safer:

  • Only collect the minimum data you need
  • Do not send PHI in autoresponders or email notifications
  • Store submissions in HIPAA-compliant systems rather than your CMS database

Forms are often the front door to compliance. Getting them right sets the tone for the rest of your data handling.

Managing Cookies with Transparency

Cookies may not seem as serious as PHI, but they still matter under state laws. Users must be told what cookies your site uses and often must be given a choice to opt out.

Tools like CookieYes (https://www.cookieyes.com), Cookiebot (https://www.cookiebot.com), and OneTrust (https://www.onetrust.com) can add banners to your site that explain cookie use and block unnecessary scripts until a user gives permission. California and Colorado both require honoring privacy signals such as Global Privacy Control, so your banner should do more than just notify—it should respect user choices.
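
As an added example (not code from the original post or from any of the banner vendors named above), here is the logic a consent layer needs so that it respects a Global Privacy Control signal rather than only notifying. Scripts are shipped inert and only switched on for categories the visitor allowed; the category names, the `data-category`/`data-src` attributes, the `consent` storage key and the choice of treating analytics as opted out under GPC are assumptions made for this example.

```javascript
// Added example: consent gating that honours Global Privacy Control (GPC).
// Not part of the original post; category names and attributes are illustrative.

// Third-party script categories the site loads. "necessary" is always allowed.
const CATEGORIES = ["necessary", "analytics", "marketing"];

// Read the GPC signal. Browsers that support it expose
// navigator.globalPrivacyControl === true when the user has opted out.
function readGpc(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Decide which categories may run. `storedChoice` is what the visitor picked in
// the banner earlier ({ analytics: bool, marketing: bool }) or null if none.
function resolveConsent({ gpc = false, storedChoice = null } = {}) {
  const consent = { necessary: true, analytics: false, marketing: false };
  if (storedChoice) {
    consent.analytics = Boolean(storedChoice.analytics);
    consent.marketing = Boolean(storedChoice.marketing);
  }
  // GPC is an opt-out signal and must win over an earlier opt-in in the banner.
  // Also turning analytics off under GPC is a conservative choice made here.
  if (gpc) {
    consent.analytics = false;
    consent.marketing = false;
  }
  return consent;
}

// Scripts ship inert in the page as
//   <script type="text/plain" data-category="analytics" data-src="https://..."></script>
// so nothing runs before consent is known. This swaps in a live <script> for
// each allowed category and returns the sources it activated.
function activateScripts(doc, consent) {
  const activated = [];
  for (const el of doc.querySelectorAll('script[type="text/plain"][data-category]')) {
    const category = el.dataset.category;
    if (!CATEGORIES.includes(category) || !consent[category]) continue;
    const live = doc.createElement("script");
    live.src = el.dataset.src;
    el.replaceWith(live);
    activated.push(live.src);
  }
  return activated;
}

// Browser entry point: run once on page load, and again after the banner is answered.
// The "consent" localStorage key is an assumption of this example.
function applyConsent(win) {
  const stored = JSON.parse(win.localStorage.getItem("consent") || "null");
  const consent = resolveConsent({ gpc: readGpc(win.navigator), storedChoice: stored });
  return activateScripts(win.document, consent);
}
```

Because GPC is read on every page load and applied after the stored choice, a visitor who turns the signal on later is still honoured even though the banner once recorded an opt-in; the banner itself only needs to write the visitor's choice to storage and call `applyConsent` again.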

Writing Privacy Policies That Work

HIPAA requires a Notice of Privacy Practices if you are a covered entity. This document should explain how you use PHI, what rights individuals have, and what obligations you hold. Guidance from HHS is available here: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/index.html.

State laws also require consumer-facing privacy policies that are broader. They should describe:

  • What categories of data you collect
  • How that data is used
  • Who you share it with
  • How users can request deletion or opt out

The FTC has a straightforward guide for businesses here: https://www.ftc.gov/business-guidance/resources/protecting-personal-information-guide-business.

Adding a cookie policy, or at least a dedicated cookie section, ensures that your disclosures cover the tracking technologies many regulators are now focused on.

Limiting GA4 From Seeing PII or PHI

Since Google Analytics 4 (GA4) is so common, it’s worth exploring how to reduce risk. Google makes it clear that GA4 is not HIPAA-compliant out of the box, but you can take steps to prevent it from storing personal identifiers, and with the correct technology on your site, limit any information that could be picked up in analytics.

Some practical changes include:

  • Review your URL structures. Avoid passing names, emails, or phone numbers as query parameters from forms. Also, configure GA4’s “Exclude Query Parameters” setting to strip sensitive fields from reports. See Google’s PII policy linked below for how to do that
  • Use GA4 data filters. These filters can block events that contain potentially sensitive information
  • Be careful with Enhanced Measurement. GA4 automatically tracks form interactions, but this feature can pick up fields that contain identifiers. Many businesses disable Enhanced Measurement on pages where health or personal data is entered. Using the HIPAA-capable forms discussed in this article will stop GA4 from being able to see any of that information
  • Scrub events in Google Tag Manager. If you’re not using compliant forms, GTM can be set up to detect email addresses, phone numbers, or other identifiers and remove them before they are sent to GA4
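
As an added example (not code from the original post, from Google, or from GTM), the scrubbing described in the first and last bullets done in page JavaScript before a hit reaches GA4: the thank-you URL from earlier (`/thank-you?name=John&condition=anxiety`) is reduced to `/thank-you`, and event parameters that are on a deny-list or look like an email, phone or SSN are dropped or masked. The `DENY_PARAMS` list, the regular expressions, the `sendEvent`/`configurePageView` wrappers and the measurement ID `G-XXXXXXXXXX` are placeholders and assumptions of this example; the `gtag()` call shapes (`config` with `page_location`, and `event`) are GA4’s own.

```javascript
// Added example: strip identifiers out of URLs and event parameters before
// anything is handed to gtag(). Not part of the original post; the deny-list,
// patterns and wrapper names are illustrative.

// Query parameters / event fields that must never appear in analytics hits.
const DENY_PARAMS = ["name", "first_name", "last_name", "email", "phone", "condition", "dob"];

// Patterns that mark a value as probably identifying even when its key looks harmless.
// They are deliberately broad (a 10-digit order number will trip the phone pattern);
// a false positive costs one masked value, a false negative leaks PII.
const PII_PATTERNS = [
  /[\w.+-]+@[\w-]+\.[\w.-]+/,                               // e-mail address
  /\b(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b/,  // US phone number
  /\b\d{3}-\d{2}-\d{4}\b/,                                  // SSN-shaped
];

function looksLikePii(value) {
  const s = String(value);
  return PII_PATTERNS.some((re) => re.test(s));
}

// Remove denied or identifying query parameters from a URL, keeping the rest.
// `base` only matters for relative paths; in the browser pass location.href.
function scrubUrl(href, base = "https://example.invalid") {
  const url = new URL(href, base);
  for (const key of [...url.searchParams.keys()]) {
    if (DENY_PARAMS.includes(key.toLowerCase()) || looksLikePii(url.searchParams.get(key))) {
      url.searchParams.delete(key);
    }
  }
  url.hash = ""; // fragments can carry identifiers too (e.g. #email=...)
  return url.href;
}

// Redact identifying values from a GA4 event's parameter object.
function scrubEventParams(params) {
  const clean = {};
  for (const [key, value] of Object.entries(params)) {
    if (DENY_PARAMS.includes(key.toLowerCase())) continue;   // drop the field entirely
    clean[key] = looksLikePii(value) ? "[redacted]" : value;  // keep the key, mask the value
  }
  return clean;
}

// Initial page view: override page_location so the thank-you URL reaches GA4
// without its query string. "G-XXXXXXXXXX" is a placeholder measurement ID.
function configurePageView(gtag, measurementId, href) {
  const safeHref = scrubUrl(href);
  gtag("config", measurementId, { page_location: safeHref });
  return safeHref;
}

// Use this instead of calling gtag("event", ...) directly. `gtag` is injected so
// the function can be exercised without the GA4 library loaded.
function sendEvent(gtag, name, params = {}) {
  const withUrl = { ...params };
  if (withUrl.page_location) withUrl.page_location = scrubUrl(withUrl.page_location);
  const safe = scrubEventParams(withUrl);
  gtag("event", name, safe);
  return safe;
}

// In the browser (hypothetical wiring):
//   configurePageView(window.gtag, "G-XXXXXXXXXX", window.location.href);
//   sendEvent(window.gtag, "form_submit", { form_id: "intake" });
```

The URL is scrubbed before the parameter object is scanned, so a `page_location` that merely contains an `email=` parameter is trimmed rather than replaced wholesale. The same two functions can be dropped into a GTM custom JavaScript variable; tune `DENY_PARAMS` to the field names your forms actually emit.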

For Google’s full policy on PII, see: https://support.google.com/analytics/answer/6366371.

Taking the time to configure GA4 properly won’t guarantee HIPAA compliance, but it will significantly reduce the risk of unintentional data capture.

UX / UI: Design for Clarity and Trust

While compliance often feels like a technical or legal challenge, it also intersects with user experience (UX). A website that hides its privacy information or makes navigation confusing can frustrate users and reduce trust.

For healthcare-related websites, it’s especially important to make navigation obvious and intuitive. Users should be able to quickly distinguish between:

  • Patient or client services
  • Information for providers or staff
  • Careers or administrative resources

By clearly labeling these areas and creating easy-to-use menus, you not only improve compliance but also create a friendlier, more transparent experience. Simple UX principles like using plain language, visible buttons, and logical groupings of information go a long way toward reassuring users that your site is both professional and trustworthy.

Cleaning Up Old Databases

Many businesses are surprised to discover that their old WordPress installations are quietly storing sensitive submissions from years ago. Plugins like Contact Form 7 or WPForms often save entries in the database by default. If those entries contain PHI, they are a liability.

Cleaning up means reviewing old databases, exports, and backups. Some data may need to be securely migrated to a HIPAA-compliant storage solution. Other data may need to be securely deleted. The NIST SP 800-88 publication provides guidance on data sanitization: https://csrc.nist.gov/publications/detail/sp/800-88/rev-1/final.

Ignoring old data does not make it go away. Proactively reviewing and cleaning databases helps ensure that past practices do not create future problems.

Controlling Access Inside Your Organization

Policies and tools only work if your team uses them properly. HIPAA’s “minimum necessary” standard means that only people who need access to PHI should have it. That requires role-based access, logging, and regular audits. When employees leave or roles change, access should be revoked immediately.

This isn’t just bureaucracy—it’s protection. Limiting access reduces the chances of mistakes and builds confidence that data is safe.

Appointing a Privacy and Security Lead

HIPAA requires organizations to appoint a Privacy Official and a Security Official. In small businesses, the same person may hold both roles. The key is that there is accountability. Someone needs to be responsible for ensuring policies are written, vendors are compliant, and data practices are reviewed. Without that accountability, compliance efforts quickly fade.

Making Compliance Part of the Routine

Compliance is not something you do once. HIPAA requires regular risk assessments, and state laws change frequently. A good rhythm is to review your compliance practices once a year. This should include:

  • Reviewing what data you collect and why
  • Checking that forms and analytics are properly configured
  • Making sure your cookie banner respects opt-out signals
  • Updating your privacy policy to reflect new laws
  • Reviewing vendor agreements and BAAs

Treating compliance as an ongoing habit keeps you prepared and prevents small issues from growing into large ones.

Conclusion

Privacy and HIPAA compliance are not just legal checkboxes. They are ways to demonstrate respect for the people who trust you with their information. By configuring tools like GA4 responsibly, using HIPAA-capable forms, managing cookies transparently, cleaning up old WordPress databases, and regularly updating your practices, you build a foundation of trust.

At Chase Design, we have guided clients through this process many times, and we know that the effort pays off. Compliance does not just protect you from penalties—it reassures your clients that their information is safe in your hands. That trust is one of the most valuable assets your business can have.

If you have questions or a need for a compliance review on your website, just reach out and schedule a time with our team. We’d be glad to help share our experience and lead you in the right direction.